Cross-Border Data Transfer Rules For Corporates
I. Concept of Cross-Border Data Transfer
1. Meaning
Cross-border data transfer refers to the transmission, storage, access, or processing of personal data outside India, including:
Cloud hosting abroad
Shared service centres
Overseas group entities
Global HR, CRM, and analytics systems
For corporates, this is integral to global operations, but poses privacy, sovereignty, and security risks.
II. Statutory Framework Governing Cross-Border Transfers
1. Digital Personal Data Protection Act, 2023
The DPDP Act marks a liberal but sovereign-controlled approach to cross-border data transfers.
Key features:
Cross-border transfer is permitted by default
Subject to negative-listing of restricted jurisdictions
Applies to all Data Fiduciaries, including multinational companies
This departs from earlier data localisation proposals.
III. Legal Basis for Cross-Border Transfer
1. Permissible Grounds
Corporates may transfer personal data abroad where:
Processing is lawful under the DPDP Act
The transfer destination is not restricted by the Central Government
Adequate safeguards are implemented
Consent alone is not sufficient without compliance safeguards.
IV. Constitutional Limits on Cross-Border Data Flow
Case Law 1: Justice K.S. Puttaswamy v. Union of India
Informational privacy is a fundamental right
Cross-border transfer implicates sovereignty and dignity
Any data movement must satisfy legality, necessity, and proportionality
This judgment underpins regulatory oversight over international data flows.
V. Government Power to Restrict Transfers
1. Negative List Mechanism
The Central Government may:
Restrict transfers to specific countries
Impose conditions for sensitive data
Act in the interest of national security or public order
Corporates must monitor notified restrictions.
VI. Purpose Limitation and Data Minimisation in Transfers
1. Corporate Obligations
Before transferring data abroad, corporates must ensure:
Transfer is necessary for declared purpose
Only minimum data is shared
Recipient processes data only as instructed
Case Law 2: People’s Union for Civil Liberties v. Union of India
Excessive or unregulated data sharing violates privacy
Procedural safeguards are mandatory
This principle governs scope and scale of cross-border data transfers.
VII. Data Processor and Intra-Group Transfers
1. Processor Accountability
Overseas processors are treated as extensions of the Data Fiduciary.
Corporates remain liable for:
Breaches abroad
Non-compliance by affiliates
Inadequate contractual controls
Case Law 3: Standard Chartered Bank v. Directorate of Enforcement
Corporate presence across borders does not dilute statutory liability
Parent and group entities can be held accountable
Relevant to multinational data governance structures.
VIII. Employee and Customer Data Transfers
1. HR and Customer Databases
Common cross-border transfers include:
Global HR systems
Payroll processing
Customer analytics
Such transfers require:
Clear privacy notices
Employment-purpose justification
Defined retention limits
Case Law 4: Canara Bank v. Union of India
Personal records enjoy strong privacy protection
Institutional needs cannot override individual privacy
Applied to employee data hosted abroad.
IX. Surveillance, Access, and Foreign Jurisdiction Risks
1. Risk of Foreign Government Access
Cross-border storage may expose data to:
Foreign surveillance laws
Extraterritorial access orders
Corporates must assess jurisdictional risks.
Case Law 5: Kharak Singh v. State of Uttar Pradesh
Intrusive access to personal data violates liberty
Privacy extends to informational control
Supports restrictive interpretation of foreign access to Indian data.
X. Large-Scale and Sensitive Data Transfers
1. Heightened Safeguards
For large-scale or sensitive processing:
Encryption and access controls required
Internal approvals and audits recommended
Breach notification obligations apply
Case Law 6: Justice K.S. Puttaswamy (Aadhaar – II)
Large-scale data handling requires higher safeguards
Purpose limitation and proportionality are non-negotiable
Guides treatment of mass cross-border transfers.
XI. Transparency and Disclosure Obligations
1. Privacy Notice Requirements
Corporates must disclose:
Whether data is transferred abroad
Purpose of transfer
Rights of data principals
Case Law 7: Anuradha Bhasin v. Union of India
Transparency and reasoned decision-making are constitutional mandates
Opaque restrictions or practices are impermissible
Supports transparency in cross-border data practices.
XII. Penalties and Enforcement Exposure
1. Consequences of Non-Compliance
Failure to comply may lead to:
Monetary penalties under the DPDP Act
Directions to suspend transfers
Reputational and ESG fallout
No defence of “foreign processor fault” is available.
XIII. Best Practices for Corporate Compliance
Data-transfer impact assessments
Country-risk mapping
Intra-group data transfer policies
Processor contracts with audit rights
Encryption and access-control frameworks
Board-level oversight of global data flows
XIV. Key Takeaways
Cross-border data transfer is permitted but regulated, not unrestricted.
DPDP Act adopts a negative-list sovereignty model.
Corporates remain liable for overseas processing.
Privacy principles apply irrespective of data location.
Employee and customer data need heightened protection.
Cross-border data governance is now a core corporate risk area.